The formal evaluation process, performed by an accredited body, that verifies whether a trust service provider or wallet implementation meets the regulatory and technical requirements of eIDAS.
Conformity Assessment is the formal evaluation process through which an accredited conformity assessment body (CAB) verifies that a trust service provider, wallet solution, or eID scheme meets the requirements laid down in the eIDAS regulation and its implementing acts. Under eIDAS 2.0, conformity assessment is a critical gateway to qualified status: a trust service provider cannot become a QTSP without first receiving a positive conformity assessment report, and the EUDIW must undergo certification that includes conformity assessment against defined security and functionality criteria.
The conformity assessment evaluates multiple dimensions: the provider's security policies and practices; the technical implementation of the service; operational procedures including incident handling and business continuity; the identity verification processes used; and compliance with relevant technical standards (such as ETSI EN 319 401 for trust service provider practices, or Common Criteria for wallet certification). Conformity assessments must be carried out by bodies that are accredited under Regulation (EC) No 765/2008 and have the necessary competence in the relevant area.
Under eIDAS 2.0, the conformity assessment requirements are extended to new trust services (such as electronic attestation of attributes and electronic archiving) and to wallet providers. The assessment must be repeated at regular intervals, at least every two years for QTSPs, and whenever there is a significant change to the service. For organisations aspiring to become QTSPs or wallet providers, understanding the conformity assessment process is essential for planning purposes.
The assessment can be time-consuming and requires thorough documentation, so early preparation is advisable. For relying parties, the conformity assessment provides assurance that the trust services and wallets they depend on meet a verified standard of quality and security.
Related Terms
Qualified Trust Service Provider (QTSP)
An entity granted qualified status by a national supervisory body, authorised to issue qualified certificates, signatures, seals, timestamps, and electronic attestations of attributes under eIDAS.
Trust Services
Supervisory Body
The national authority designated by each Member State to oversee trust service providers, ensure compliance with eIDAS requirements, and maintain the national Trusted List.
Governance
Wallet Attestation
A cryptographic mechanism that allows a relying party to verify that a wallet application is genuine, certified, and running in a secure environment before accepting credentials from it.
Technical Standards
Trust Framework
A set of rules, policies, and technical standards that govern how digital identities and credentials are issued, managed, and verified within a defined ecosystem.
Governance